The SSH host key has changed on 8 April, 2022 to this one: SHA256:573uTBSeh74kvOo0HJXi5ijdzRm8me27suzNEDlGyrQ
Sources of the site, Jekyll version
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

108 lines
5.3 KiB

Installing OTRS in Fedora 18 with SELinux enabled
:date: 2013-05-06T06:01:52Z
:category: blog
:tags: fedora,selinux,otrs
:url: blog/2013/5/6/installing-otrs-in-fedora-18-with-selinux-enabled.html
:save_as: blog/2013/5/6/installing-otrs-in-fedora-18-with-selinux-enabled.html
:status: published
:author: Gergely Polonkai
I’ve read somewhere in an OTRS installation howto that if you want to install OTRS, you will have
to disable SELinux. Well, I won’t.
During the last few months, I have been using Fedora 18 with SELinux on all of my desktop machines
and on my notebook, and I had no problems at all. Meanwhile I got familiar with SELinux itself,
and got used to solving problems caused by it. So I started ``tail -f /var/log/httpd/error_log``
in one terminal (to see if something Apache related thing appears), ``tail -f
/var/log/audit/audit.log`` in another (to see errors caused by SELinux), opened the admin manual
at the installation chapter, took a deep breath, and went on.
Throughout this article, I will refer to OTRS 3.2.6 as OTRS and Fedora 18 (with only “stock”
repositories) as Fedora. I assume that you have already installed OTRS in a non-SELinux
environment before, and that you have at least some basic knowledge about SELinux, MAC, RBAC, and
all the like. I’m installing OTRS in ``/opt/otrs``, so if you install it somewhere else, you will
have to modify the paths below. Also, if you happen to install under ``/var/www`` (I wouldn’t
recommend it), that directory already has the ``httpd_sys_content_t`` type, so you won’t have to
set it explicitly.
As the first step I have unpacked the archive to ``/opt/otrs``. This directory is the OTRS
default, many config files have it hardcoded, and changing it is no easy task.
Running ```` gave me a list of missing perl modules. Red Hat and Fedora makes
it easy to install these, as you don’t have to know the RPM package name, just the perl module
.. code-block:: shell
yum install 'perl(Crypt::SSLeay)' \
'perl(DBD::Pg)' \
'perl(GD)' \
'perl(JSON::XS)' \
'perl(GD::Text)' \
'perl(GD::Graph)' \
'perl(Mail::IMAPClient)' \
'perl(Net::DNS)' \
'perl(PDF::API2)' \
'perl(Text::CSV_XS)' \
I also needed to install ``mod_perl``. Although ```` didn’t mention it, the
default settings use syslog as the logging module, so unless you change it in ````, you
will also need to install ``'perl(Unix::Syslog)'``, either.
The default SELinux policy doesn’t permit any network connection to be initiated by Apache httpd.
As OTRS needs to connect to its database, you need to enable it explicitly. In older
distributions, the ``httpd_can_network_connect`` was the SELinux boolean for this, but recent
installations also have a ``httpd_can_network_connect_db`` flag. As far as I know, this enables
all network connections to the well-known database servers’ default port, but I will have to check
for it. For me, with a MySQL listening on its standard port, the ``setsebool
httpd_can_network_connect_db=1`` command just did it.
With SELinux enabled, Apache won’t be able to read anything that’s not marked with the
``httpd_sys_content_t`` type, nor write anywhere without the ``httpd_sys_rw_content_t`` type. The
trivial, quick and dirty solution is to label all the files as ``httpd_sys_rw_content_t``, and let
everything go. However, the goal of SELinux is just the opposite of this: grant access only to
what is really needed. After many trial-and-error steps, it finally turned out that for OTRS to
work correctly, you must set
* ``httpd_sys_content_t``
* on ``/opt/otrs/var/httpd/htdocs``
* ``httpd_script_exec_t``
* on ``/opt/otrs/bin/cgi-bin``
* ``httpd_sys_rw_content_t``
* on ``/opt/otrs/Kernel``
* on ``/opt/otrs/var/sessions``
* on ``/opt/otrs/var/log`` (unless you use syslog for logging)
* on ``/opt/otrs/var/packages`` (this is used only when you download an .opm package)
* on ``/opt/otrs/var/stats``
* on ``/opt/otrs/var/tmp``
* on ``/opt/otrs/bin`` (I wonder why this is required, though)
To do this, use the following command:
.. code-block:: sh
semanage fcontext -a -t <context> <directory regex>
Where ``<directory regex>`` is something like ``/opt/otrs/Kernel(/.*)?``. When this is done, all
you have to do is running ``restorecon -vR /opt/otrs`` so it will relabel everything with the
correct types (you can omit ``-v``, I just like to see what my software do).
The last thing I faced is that Fedora is more restrictive on reading directories other than
``/var/www``. It has a ``Require all denied`` on ``<Directory />``, and a ``Require all granted``
on ``<Directory /var/www>``, so ``/opt/otrs/var/httpd/htdocs`` will throw a ``403 Forbidden
(client denied by server configuration)`` error. To get rid of this, I had to modify
``scripts/apache2-httpd.include.conf`` and add ``Require all granted`` to both the ``cgi-bin`` and
``htdocs`` directories.
As I will have to use OTRS in a production environment soon with SELinux enabled, it is more than
sure that this list will change in the near future. As there are no official documentation on
this (I haven’t find one yet), I have to do it with the trial-and-error way, so be patient!